Web lists-archives.com

Re: [Samba] Samba 4.6.5 Active Directory on CentOS




On 7/2/2017 3:30 AM, Rowland Penny via samba wrote:
On Sat, 1 Jul 2017 17:12:30 -0500
John Schmerold via samba <samba@xxxxxxxxxxxxxxx> wrote:

I am using Jeff Bales' procedure for configuring SAMBA with Active
Directory
https://thingsdomakesense.wordpress.com/2017/06/06/installing-samba-4-6-5-active-directory-on-centos-7-1611/

When everything is all said & done everything seems to work, but I am
not able to configure home directories because the users don't have
local Linux accounts - I suspect I need to bind Linux's user table to
Active Directory, but cannot seem to make this happen. Any advise?

I am using this to add users:

samba-tool user create user P@ssrod4 --uid=user --uid-number=10001
--gid-number=100 --unix-home=/home/user --home-directory=/home/user
--login-shell=/bin/bash --gecos='user' --given-name=Happy
--surname=User


Not much wrong with that howto, as far as it goes, apart from this step:

mv /etc/krb5.conf /etc/krb5.conf.bak
cp /usr/local/samba/share/setup/krb5.conf /etc/krb5.conf

Yes, you might want to make a copy of the original krb5.conf, but you
should do it after the provision and the krb5.conf it tells you to
copy is the wrong one. The last line is totally redundant anyway, it
tells you to copy the correct one after the provision.

Now for what is probably wrong with your DC:

The howto tells you start Samba by just running 'samba' , did this
actually work ? Probably not, because 'samba' will be
in /usr/local/samba/sbin and this will not be in your path.

The howto also doesn't tell you that if you want to use a DC as a
fileserver, you need to create a few links for libnss_winbind.so.
Without these links, getent etc will not work and you need them to work
to have Unix users (and no, you cannot have users in /etc/passwd and
AD, same goes for groups)

See here for howto create the links:

https://wiki.samba.org/index.php/Libnss_winbind_Links

The howto also doesn't tell you that, on a DC, the 'unixHomeDirectory'
and 'loginShell' attributes are ignored. Once you have 'getent'
working, you will find that all your users have their Unix home
directories set to '/home/DOMAIN/username' and their shell will be
'/bin/false', see here for how to fix this:

https://wiki.samba.org/index.php/Configuring_Winbindd_on_a_Samba_AD_DC

Finally, [homes] doesn't work on a DC, see here:

https://wiki.samba.org/index.php/User_Home_Folders

Rowland

Thanks for the spot-on advice. Jeff Bales' procedure was a great start, needed a few tweaks. The server fully functioning as a DC, I was able to get homes working by adding this bit of magic to [homes]: root preexec = bash -c '[[ -d /home/%U ]] || mkdir -p -m 0700 /home/%U && chown %U:users /home/%U'

I have this configured in a VMWare environment, so there is no reason not to setup a separate DC, but that will have to keep for another day.

John Schmerold
St Louis, MO

--
To unsubscribe from this list go to the following URL and read the
instructions:  https://lists.samba.org/mailman/options/samba